Chris Simms: We need to prioritise cyber security in this age of global risks

Earlier this year, when the World Economic Forum launched its 2017 Global Risks Report, an obvious question was whether the global community had learnt from the previous year's 2016 Global Risks Report. The evidence suggested that it had not, or at least not enough to have prioritised and taken effective steps to mitigate risk and avoid chaos. This was particularly notable in the technological sector, where cyber attacks have come to dominate national elections and international relations.

The report warned that the failure to understand and address the risks of cyber attacks could have far reaching consequences. No sector has been harder hit by cyber attacks than the healthcare industry, where health records contain large amounts of personal information. A 2016 analysis shows that the leading sector for cyber attacks was the healthcare industry (more so than financial services and manufacturing), where more than 100 million health records were compromised.

In Britain, these warnings were repeated over the past year. In July the NHS regulator, the Care Quality Commission, and the national data guardian, Dame Fiona Caldicott, warned that not only do cyber attacks threaten to “put patient information at risk of loss or compromise . . . [they] also jeopardise access to critical patient record systems by clinicians.”

Set against this context and the events over the past few days, several points made by the 2017 Risks Report seem relevant to the WannaCry cyber attack that began last Friday and its impact on the NHS.

Firstly, it seems that the NHS was caught in the net of a non-targeted cyber attack: WannaCry was self-propagating ransomware that spread to any reachable Windows machine missing a security update released two months earlier, regardless of who owned it. The health sector is large and crosscuts many other sectors; it is inevitably vulnerable to global risks of multiple sorts. Indeed, most of the risks cited by the Global Risks Report have a direct bearing on the health and wellbeing of ordinary people, and are therefore relevant to healthcare providers and health organisations. Few professions and institutions know more about inequalities, natural disasters, migration, violence, environmental disease, pandemics, and, indeed, cyber attacks than those related to health.

Secondly, as the interconnectedness of the world increases, so too do global risks. For example, while the NHS’s plans for a full roll-out of electronic records by 2020 reflect a desire to improve efficiency and provide better healthcare for the patient, they also bring greater risk, since every new electronic connection to networks outside the NHS’s control widens the surface through which an attack can arrive. The 2017 report warned that these risks are becoming more potent, more frequent, and more probable than ever before.

Thirdly, in making its recommendations, the Risks Report’s main message was to deal with risks and hazards before they turn into crises. This can be done through a culture of prevention, a thorough understanding of risk, ongoing review of policies and priorities, and good governance in support of collaboration and partnership. Yet an early review of the cyber attack on the NHS suggests a striking imbalance between the proactive and the reactive, between strategic plans and operational plans. For example, when NHS Providers’ director of policy and strategy spoke with the BBC, he explained that trusts

“will have business continuity plans in place, which will mean that they will declare an internal incident. They will go into what’s called Silver Command and they will mandate a Silver Commander who will be absolutely responsible for sorting it out operationally and they won’t stop until it is sorted out . . . And this is the same approach that hospitals take to any outbreak, so if they had an outbreak of a physical illness, or a contagious illness, they would take a similar approach. They are very practiced in dealing with this.”

While this suggests a strong (and ultimately successful) operational plan to deal with the “outbreak,” there is inadequate evidence that it is matched by a strong prevention strategy, one commensurate with the overall investment in technology. For example, Personalised health and care 2020: a framework for action describes the government’s plan to embrace the electronic revolution to improve health and care, but it does not highlight cyber security; the subject is mentioned just once, in the last sentence of the last paragraph of a section entitled “Build and Sustain Public Trust.” In contrast, the literature describing the strategies, programmes, and projects needed to implement electronic data systems in healthcare without exception cites the need to make cyber security a top priority.

Of course, the NHS’s struggle with cyber security is nested in a national political context. Government critics claim that the NHS had been left exposed by cuts to its budget and that “infrastructure budgets have been raided, have been cut back, which has meant hospital trusts have not been able to upgrade their IT systems.” Dr David Wrigley (deputy chair of the British Medical Association), who was on a panel that drew up guidelines on cybersecurity, said “it’s disappointing that funding hasn’t been given to upgrade the system. It needs urgent action by politicians . . . I don’t think it’s acceptable for politicians to say, ‘It’s all down to local NHS and management.’ They have got a duty to ensure everything is up to date.”

As the rest of the global community is learning this week, addressing the risk of cyber attacks is a shared responsibility, and as Krishna Chinthapalli warned last week in The BMJ, many hospitals are running on “ancient operating systems” and obsolete protection. Both the government and managers need to prioritise cyber security in this age of global risks.

Dr Chris Simms teaches at Dalhousie University, School of Health Administration, Halifax, Canada; he spent many years living and working in Africa’s health sector.

Competing interests: None declared.